Hackers could use mobile apps to steal connected cars, says Kaspersky

Researchers from IT security company Kaspersky have warned drivers that internet-connected cars could be at risk of being stolen or remotely controlled as car makers rush out products without properly securing them.

Kaspersky’s Mikhail Kuzin and Victor Chebyshev warn in a blog post that by using proprietary mobile apps, it is possible to get the GPS coordinates of a car, trace its route, open its doors, start its engine, and turn on its auxiliary devices.

“On the one hand, these are absolutely useful features used by millions of people, but on the other hand, if a car thief were to gain access to the mobile device that belongs to a victim that has the app installed, then would car theft not become a mere trifle?,” they ask.

The company looked at several mobile apps from car manufacturers available from app stores and tested them to see if such code could be used to steal a vehicle or disable it.

They also analyzed whether or not developers of the car apps used methods to make reverse engineering of the app harder to carry out. “If not, then it won’t be hard for an evil-doer to read the app code, find its vulnerabilities, and take advantage of them to get through to the car’s infrastructure,” they said.

They also looked to see if car apps checked if a device was already rooted, as this may allow malware to take full control of a device. Tests were also carried out on apps to see if developers saved user credentials in plain text, verified that the user interface of the app was correctly displayed to a user (as malware can intercept this event by showing a phishing window with an identical GUI to the user and steal, for instance, the user’s credentials), and whether an app verifies itself for changes within its code or not.

The researchers noted that all of the apps turned out to be vulnerable to attacks in one way or another.

“It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors,” said the researchers.

While the apps lack sufficient security, no attacks on cars have been witnessed nor have they detected malware containing code to download the configuration files related to these apps.

“However, contemporary trojans are quite flexible: if one of these trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The trojan could also delete the configuration file and override it with a modified one. As soon as all of this becomes financially viable for evildoers, new capabilities will soon arrive for even the most common mobile Trojans,” said the researchers.

Better car security rules needed

Pascal Geenens, EMEA security evangelist at load balancing and cybersecurity specialist Radware, told Internet of Business that the problem proves that better rules and regulations from government safety bodies are needed.

“Security policies often lag behind rapidly evolving technologies, many of which are built on well-known or open systems with standard programming and networking, leaving wide open doors for hackers. Cars fall into this category, and the software behind them makes it dramatically easier for everyone from common criminals to terrorists to infiltrate a vehicle,” he said.

“When it comes to public safety, ‘best practices’ aren’t going to cut it. What we need are policies and testing that ensure the computer systems and software onboard cars are secure and robust enough to prevent today’s toughest hacks.”

Richard Stiennon, chief strategy officer at data security company Blancco Technology Group, told Internet of Business that carmakers should make the option of syncing data from mobile devices to the car’s infotainment system an ‘opt-in’ feature, to minimize the types and amounts of data that are stored.

“As a result, a driver’s contacts (from their phone) would be stored in a connected car on a case-by-case basis, meaning that car owners are more aware that they are syncing data with their car, rather than it just taking place automatically and without question.

“Manufacturers also should be responsible for providing a certain level of education to drivers about data security within connected cars. For example, drivers should remember a few simple tips of what they should not do,” he added.

“Don’t connect smartphones to the infotainment system just to charge the device. It’s safer to just use the cigarette lighter adapter than the car’s USB port to charge the device. This is because the USB connection may transfer data automatically.”

Rene Millman is a freelance writer and broadcaster who covers IoT, mobile technology, cloud, and infrastructure. In the past, he has also worked as an analyst for both Gartner and IDC. He has made numerous television appearances discussing the technology trends and companies that shape our lives.